[ale] Microsoft spam???

Jeff Hubbs hbbs at attbi.com
Sun Mar 10 18:54:37 EST 2002



Steven A. DuChene wrote:
  I have received twice now a message titled "Internet Security Update" from "Microsoft Corporation Security Center" <rdquest12 at microsoft.com>. Each time it is addressed to "Microsoft Customer" <'customer at yourdomain.com'>. Each time I look at the received headers to see where it is coming from and see lots of strange places it has been. None of them are Microsoft.

  I have the spaminator from mindspring/earthlink turned on for my account but even though this meets all my criteria as spam (something I don't want and it isn't addressed to me) earthlink's spaminator misses it each time. Does anyone know anything about tuning the spaminator to catch this sort of thing?

  BTW, each time it included an attached file q216309.exe. Since I don't have any MS operating systems installed here I can't be foolish enough to open this up where it will tell me anything. Anyone heard of this before? Is this an exercise in social engineering to get people to apply some "patch" that will do something malicious to their systems?
  
  
Steven -
  
See Bob Toxen's message from yesterday, reproduced below:
  
  
  From: "Microsoft Corporation Security Center" <rdquest12 at microsoft.com>
To: "Microsoft Customer" <'customer at yourdomain.com'>

Microsoft Customer,

     this is the latest version of security update, the 
known security vulnerabilities affecting Internet Explorer and 
MS Outlook/Express as well as six new vulnerabilities, and is 
discussed in Microsoft Security Bulletin MS02-005. Install now to 
protect your computer from these vulnerabilities, the most serious of which 
could allow an attacker to run code on your computer.


Description of several well-known vulnerabilities:

- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment"
vulnerability.  If a malicious user sends an affected HTML e-mail or
hosts an affected e-mail on a Web site, and a user opens the e-mail or
visits the Web site, Internet Explorer automatically runs the executable
on the user's computer.

- A vulnerability that could allow an unauthorized user to learn the location
of cached content on your computer. This could enable the unauthorized
user to launch compiled HTML Help (.chm) files that contain shortcuts to
executables, thereby enabling the unauthorized user to run the executables
on your computer. 

- A new variant of the "Frame Domain Verification" vulnerability could enable a 
malicious Web site operator to open two browser windows, one in the Web site's 
domain and the other on your local file system, and to pass information from 
your computer to the Web site.

- CLSID extension vulnerability. Attachments which end with a CLSID file extension 
do not show the actual full extension of the file when saved and viewed with 
Windows Explorer. This allows dangerous file types to look as though they are simple, 
harmless files - such as JPG or WAV files - that do not need to be blocked.


System requirements:
Versions of Windows no earlier than Windows 95. 

This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01

How to install
Run attached file q216309.exe

How to use
You don't need to do anything after installing this item. 


For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
http://www.microsoft.com/windows/ie/downloads/critical/default.asp
If you have some questions about this article contact us at rdquest12 at microsoft.com

Thank you for using Microsoft products.

With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft Corporation.

****
This is Bob now.  This clever bit of Social Engineering was to get you
to load the virus q216309.exe that was its attachment.  It did show as
being from "Microsoft Corporation Security Center" <rdquest12 at microsoft.com>
which cleverly listed a return email address at Microsoft (and I'm not
dumb enough to run binaries from unconfirmed sources).

I recognized it as a virus only because I'm not on any Microsoft customer
list and my analysis of the headers showed it as being sent from
the University of California at Davis.

Microsoft's Security people cryptographically sign all of their email
with PGP.  Don't even think of trusting any email containing possibly
dangerous attachments without a valid signature.  I'm working on a
virus filter as an add-on to my Firewall/VPN products.

Bob

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
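The checks Bob describes (no PGP signature, a Received chain that never touches the claimed sender's domain, an unsolicited executable, a generic "customer" recipient) can be scripted on the receiving side. The Python below is an added example, not code from the thread or from any list member; the sample message is constructed from the headers quoted above with invented host names and addresses, and `assess()`, `RISKY_EXT` and `my_address` are the example's own names.

```python
import email
from email import policy

# Constructed sample modelled on the message quoted in the thread: From, To,
# Subject and the attachment name are from the thread; hosts and IPs are made up.
SAMPLE = """\
Received: from dialup-203.example.edu ([198.51.100.77]) by mx.example.org with SMTP; Sun, 10 Mar 2002 18:29:53 -0500
From: "Microsoft Corporation Security Center" <rdquest12@microsoft.com>
To: "Microsoft Customer" <customer@yourdomain.com>
Subject: Internet Security Update
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/plain

Microsoft Customer, this is the latest version of security update.
--xyz
Content-Type: application/octet-stream; name="q216309.exe"
Content-Disposition: attachment; filename="q216309.exe"

MZ-placeholder-not-a-real-binary
--xyz--
"""

RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def assess(raw, my_address):
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []  # every reason the message should be held for manual review
    # 1. Executable attachment (the worm shipped as q216309.exe).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"executable attachment {name}")
    # 2. No PGP signature: neither PGP/MIME nor an inline clearsigned body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if msg.get_content_type() != "multipart/signed" and "BEGIN PGP SIGNED MESSAGE" not in text:
        reasons.append("no PGP signature")
    # 3. Claimed sender domain never appears in the Received chain.
    sender_domain = msg["From"].addresses[0].domain.lower()
    hops = [str(h).lower() for h in msg.get_all("Received", [])]
    if not any(sender_domain in h for h in hops):
        reasons.append(f"From domain {sender_domain} absent from every Received hop")
    # 4. Not addressed to the mailbox that received it (generic "customer").
    rcpts = [a.addr_spec.lower() for a in msg["To"].addresses]
    if my_address.lower() not in rcpts:
        reasons.append(f"not addressed to {my_address}")
    return reasons
```

Any non-empty result is a reason to hold the message rather than open the attachment; a genuinely signed Microsoft bulletin would at least clear check 2.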
